0d3546dd8b2e3925cdcae101d47aa582d36850666916ad3ff95d74dad596af51

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f6ff2d23d7db62211977581fac36930_NeikiAnalytics.exe
Size

3.2MB
MD5

0f6ff2d23d7db62211977581fac36930
SHA1

7b22957749a50295dc118f7e5f4289038a3fe953
SHA256

0d3546dd8b2e3925cdcae101d47aa582d36850666916ad3ff95d74dad596af51
SHA512

7305cd4ae853d46322134cb97474e619a953cdfbe1b455308225d553526894907a1dbec5e9451ff601b598d90476894e68a90edd4fdc3f7bb320649bdfb104cc
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBHB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpgbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe	0f6ff2d23d7db62211977581fac36930_NeikiAnalytics.exe

Executes dropped EXE 2 IoCs

pid	Process
2900	locabod.exe
2836	abodloc.exe

Loads dropped DLL 2 IoCs

pid	Process
1964	0f6ff2d23d7db62211977581fac36930_NeikiAnalytics.exe
1964	0f6ff2d23d7db62211977581fac36930_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot28\\abodloc.exe"	0f6ff2d23d7db62211977581fac36930_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintAL\\bodxsys.exe"	0f6ff2d23d7db62211977581fac36930_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1964	0f6ff2d23d7db62211977581fac36930_NeikiAnalytics.exe
1964	0f6ff2d23d7db62211977581fac36930_NeikiAnalytics.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe
2900	locabod.exe
2836	abodloc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2900	1964	0f6ff2d23d7db62211977581fac36930_NeikiAnalytics.exe	28
PID 1964 wrote to memory of 2900	1964	0f6ff2d23d7db62211977581fac36930_NeikiAnalytics.exe	28
PID 1964 wrote to memory of 2900	1964	0f6ff2d23d7db62211977581fac36930_NeikiAnalytics.exe	28
PID 1964 wrote to memory of 2900	1964	0f6ff2d23d7db62211977581fac36930_NeikiAnalytics.exe	28
PID 1964 wrote to memory of 2836	1964	0f6ff2d23d7db62211977581fac36930_NeikiAnalytics.exe	29
PID 1964 wrote to memory of 2836	1964	0f6ff2d23d7db62211977581fac36930_NeikiAnalytics.exe	29
PID 1964 wrote to memory of 2836	1964	0f6ff2d23d7db62211977581fac36930_NeikiAnalytics.exe	29
PID 1964 wrote to memory of 2836	1964	0f6ff2d23d7db62211977581fac36930_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\0f6ff2d23d7db62211977581fac36930_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0f6ff2d23d7db62211977581fac36930_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2900
- C:\UserDot28\abodloc.exe
  C:\UserDot28\abodloc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintAL\bodxsys.exe

Filesize
3.2MB

MD5
1224c6962c1d4fcc2332e8e0406c395f

SHA1
d682871da13627b5276b1b98f86a9602c803aa3f

SHA256
7ea5ee4014866d88d32ecf49cec59360ecbf9dcfe8685c5ff7945d7ee87c9bf1

SHA512
21ed5a6e37077fdc22f879cdd8069ae2c0350ad9cdd4a17f9365dd7a4ef3da8ce121520ff25942c3f31443e0465bbc80ca47da28c80f524bff8602b8641ac8a3

Download Submit
C:\MintAL\bodxsys.exe

Filesize
3.2MB

MD5
1e89cfef898a38a03369760c13e3b3ea

SHA1
9302a5bf6b772bca3672f3849c3511aaad80cbe3

SHA256
c804a20c8d36f4e114a1be23608fcc0accfc1491a20fa617442085eafdca3304

SHA512
9fa4b5cbb916257724acfb90195479fe7bec525d33fa75dc4c0b57dfe44a7e841d0f4adbf213c49c1d23ad50227d65716fee0094068d367eccccf36d03285d6b

Download Submit
C:\UserDot28\abodloc.exe

Filesize
3.2MB

MD5
69384f732aa3f971a3ef26c79e81d392

SHA1
a79534144e002331ce9cfa6e727e38269a22725f

SHA256
48b5db401d65148b6210342650276240bacee739791d0911a8e1432292ad4919

SHA512
62c192ce06ee90fbe60e0febae1c8a323815d1f04cc886b1a8074ac66697d2d62427d14adf02da3e9367192cca4b0c47f956f7064c79fb5e320185bcd8d661d5

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
170B

MD5
3cf4c88183e25de5dce6bde97dbd5c02

SHA1
7a18e0b8b4cdee5375e7e804e6b2bf7f378010f3

SHA256
41d92f28bc45343612abfe33d7869b08f6347df0130ea5b4120eaa9d7a45ece9

SHA512
13c27503f086c5698d0657023c24887f64e3c36438dfcd6956bc38ba05a5a3e2c06a0571dc9ec2b6df4b598a35d37ed71dfe875023f8edf87c6ae3ad3bd2f7ec

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
1aa4e9842f1815f0a6ab70b33a792693

SHA1
9563901b6bc6487298f643c23911dbf6b1d9ab24

SHA256
d2a98c2e13497beba78a185e0c999867c25018a4912b5a8ae345a2a21da15b9a

SHA512
5ff52c8d9fabd77a30abeebaff65ecc52d07236132dfa99a57c93d8c02c23de2781723da239cf8ee265709a36460a0143ca8083a5e34eca8f38f020f03703ba2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locabod.exe

Filesize
3.2MB

MD5
402e9598bc487691e75c06e540d23604

SHA1
99842809b818de40d88d8a559dca0ba71af2af06

SHA256
d6b2d958bc85e3b36afd0d419d9b337863ce5369fc500010dacccc1248b37315

SHA512
9c54e6c353a1f162600f2e2cfd3c62623cbd4274a41e4d7ae138ad14065f3e630fe9a89808fc18e5bbf8a09ba43ab0d0cdcc9e303fe9d27810185bb22a783b90

Download Submit